ERM Chapter 5 Risk Culture

Risk culture evaluates how individuals impact the risk management process and helps define what constitutes an effective risk culture for an organization. It also involves analyzing risk appetite and tolerance, exploring their importance to goal achievement, and addressing the need for and structure of risk appetite statements. Embedding the right risk culture within the broader organizational culture can be critical to the success or failure of risk management efforts—and, as global examples show, even to the organization’s overall survival. By defining risk appetite, tolerance, and capacity, organizations gain clarity on how much risk they can handle and are prepared to accept in pursuit of their goals. This understanding helps identify which risks matter most and determines the level of effort needed to address them. Achieving an acceptable level of risk often demands shifts in mindset, behavior, and the organization’s risk culture. Together, risk culture and appetite ensure that the most relevant risks are properly evaluated and managed, safeguarding and enhancing the organization’s value while supporting its objectives.

Culture is often described as ‘how things are done here,’ but it encompasses more—encompassing the shared ideas, customs, knowledge, beliefs, and behaviors of groups, whether in society or organizations. Risk culture parallels this but centers on how people perceive, interpret, and handle risks. Defining risk culture is challenging, yet it reflects the collective mindset of management at all levels, shaping how individuals act in specific situations and how they feel compelled to act consistently. The Institute of Risk Management (IRM) defines risk culture as the ‘values, beliefs, knowledge, and understanding of risk shared by a group with a common purpose, such as employees or teams within an organization.’ A positive risk culture can grow stronger over time through a reinforcing cycle of actions and behaviors that align with the organization’s ideal standards. Conversely, tolerating dysfunctional behaviors can spiral into a destructive cycle, fostering a harmful risk culture. Leaving risk culture to chance—allowing individuals or teams to approach risk haphazardly—is inadequate. Building a proactive risk culture involves:

  • Clearly communicating expectations to all staff through tools like policies, presentations, newsletters, onboarding, documents, posters, and job roles.
  • Persuading employees that effective risk management benefits them personally.
  • Engaging staff in identifying risks to boost their commitment.
  • Offering training to embed proper practices and understanding.
  • Investing in robust IT security tools and maintaining transparent, well-communicated monitoring of IT use.

A robust risk culture empowers people to consistently make sound decisions in the right way, even in a fast-paced, complex, and interconnected environment. Such a culture equips management to determine viable actions, navigate difficult trade-offs, and weigh the pros and cons of their decisions effectively. Kier Group plc emphasizes a strong risk management culture in its 2024 annual report. The company follows a Performance Excellence approach to develop its people, processes, and projects consistently. Instead of assigning a single non-executive director to engage with employees, all directors participate in Visible Leadership Tours (VLT) to understand workplace culture and concerns firsthand. The Board ensures that policies, practices, and behaviors align with the company’s values and goals. Safety remains a top priority, with continuous efforts to improve health and safety standards for employees and suppliers. In FY25, Kier focused on strengthening risk management through performance lifecycle management, while Commercial Directors helped build a risk-aware and resilient culture by identifying, evaluating, and managing risks in contracts.

Real-world examples in this section illustrate that organizations can exhibit either a positive or negative risk culture, often revealed through their risk management processes and control environment. For instance, risk management might be viewed as a valuable tool that enhances an organization’s ability to meet or exceed its goals, or it could be treated as a mere compliance-driven checklist. The importance of a proactive and intentional tone from leadership was addressed in Unit 2’s Risk Strategy within the ERM Framework. A positive risk culture enables individuals and teams to effectively integrate risk management into the organization, fostering an appreciation for its benefits and its potential to drive positive outcomes. Encouraging people to confront significant, often overlooked ‘elephant’ risks fosters greater transparency in the risk culture. Culture pertains not to individuals alone but to groups—typically teams or organizations, though it can extend to cities or nations. The COSO ERM Framework, updated in 2017, acknowledged that even a top-tier ERM system fails to deliver value without a supportive risk culture. As highlighted, the revised framework describes enterprise risk management as the ‘culture, capabilities, and practices, woven into strategy development and implementation, that organizations use to manage risk while creating, preserving, and realizing value.’

5.1 People and risk culture

While culture originates with individuals, it ultimately characterizes groups. Each person possesses a unique personality, which can be evaluated through various methods and techniques to create a profile of their traits and assess their fit for specific roles. This systematic approach, known as personality profiling, allows individuals to explore their core personality, work preferences, and strengths, while also shedding light on how others perceive them, how they collaborate, and how they might adjust their traits to suit their work environment or handle crises. Specific profiling methods focused on risk assess an individual’s inclination toward risk-taking, gauging their willingness to embrace risk and their resilience when facing it. The IRM’s risk culture framework places personal risk preference at the heart of risk culture, showing how it interacts with personal ethics, behaviors, and the broader organizational culture to shape risk attitudes. The ideal personality traits often vary depending on the organization and its context. For example, a spontaneous, convention-challenging CEO might drive value creation in a startup, while a systematic, compliant approach is essential for protecting value in regulated sectors. Traits like caution or pessimism might seem undesirable but can be vital in safety-critical fields like oil and gas, aviation, or construction. Conversely, resilience and boldness may suit leaders naturally, though these can sometimes push organizations toward risky or unwise decisions when restraint might be wiser. Although personality traits solidify by adulthood, an individual’s risk preference doesn’t fully predict their behavior in real scenarios—flexibility in adapting to context is highly prized in managers. Moreover, risk predisposition alone shouldn’t determine someone’s suitability for a role, task compatibility, or performance level, nor does it imply one trait outshines another. Understanding risk predisposition, however, helps clarify differing perspectives on risk, influencing factors like risk tolerance, perceptions of riskiness, preparation efforts, opportunity recognition, and the commitment to managing and monitoring risks.

IRM Risk Culture Framework

Risk perceptions

A person’s risk predisposition isn’t the sole factor shaping how they perceive risks. It’s easy to assume individuals have complete information about a risk and can assess it rationally and effectively, but each person’s unique perspective leads to varied interpretations. Risk has an objective dimension (e.g., the measurable chance of rain tomorrow) and a subjective one, influenced by psychological, cultural, and intangible factors, which can cause individuals to either downplay or exaggerate its seriousness. Perceptions of risk can differ across an organization’s hierarchy—senior leaders might overlook operational risks on the ground, while frontline workers may miss broader strategic risks. These perceptions also evolve with time and experience. Such variation matters because it can lead to flaws in risk identification, where critical risks are overlooked, and unimportant ones are flagged. Key challenges tied to differing risk perceptions include:

  • Variations in how people define and recognize risks (risk identification).
  • Individuals concealing risks or highlighting misleading ones for personal gain rather than organizational benefit (risk identification).
  • Differing opinions on the probability of a risk occurring (risk analysis).
  • Uneven understanding of a risk’s potential impact and scope (risk analysis).
  • Deliberate under- or overstatement of risk severity for self-serving reasons rather than supporting organizational goals (risk analysis).
  • Disagreement on what constitutes an acceptable risk level (risk evaluation).
  • Misjudgments leading to flawed or inconsistent data, hindering proper risk assessment and response.
  • The existence of true ‘unknown unknowns,’ risks beyond detection through standard methods (as explored with known unknowns in Unit 3).

These differences highlight that risk assessment is inherently inconsistent across individuals. No two people share identical views, and no one perceives risks with perfect objectivity, as personal biases shape their judgments. This creates two significant risks:

  • Organizations may handle identical risks unevenly based on who’s managing them, amplifying overall uncertainty.
  • Risk managers might prioritize addressing stakeholders’ perceived fears to gain favor, rather than tackling the most critical risks objectively.

Risk attitude—how people respond to uncertainty based on whether they see it as an opportunity, neutral, or a threat—hinges on these perceptions. This, in turn, affects each stage of the risk management process and shapes strategic choices.

Risk biases

Bias is a tendency to favor or oppose a person or group based on experience, assumptions, social norms, or judgment. Cognitive bias occurs when the brain simplifies information processing based on personal experiences and preferences, which may not always be accurate. The Board of Innovation identified 16 cognitive biases that can impact decision-making, including:

  • Confirmation bias – believing information that supports our existing views.
  • Conformity bias (groupthink) – being influenced by the majority, even against personal judgment.
  • Authority bias – giving more weight to ideas from authority figures.
  • Bandwagon bias – adopting ideas because others already have.
  • Anchoring bias – relying too much on familiar information.

As decisions become more strategic and impactful, recognizing these biases becomes crucial. Hillson and Murray-Webster (2007) discuss common biases, describing them as “gut feelings” or heuristics, including availability, representativeness, and confirmation traps. Group biases like groupthink, cultural conformity, and cautious or risky shifts also affect decision-making. Risk perception is shaped by three key influences: conscious, subconscious, and emotional factors. While it is not necessary to analyze all biases in every decision, being aware of them helps understand risk attitudes, behaviors, and overall risk culture within an organization.

Common influences on risk perception

Conscious factors (situational)     | Subconscious factors (cognitive bias) | Affective factors (feelings and emotions)
------------------------------------|---------------------------------------|------------------------------------------
Familiarity                         | Availability                          | Fear
Manageability                       | Representativeness                    | Hate
Proximity / velocity / clock speed  | Anchoring and adjustment              | Sadness
Size of impact                      | Confirmation trap                     | Joy
Organisational culture              | Bandwagon                             | Desire

5.2 Risk culture models

Numerous models exist to assist organizations in comprehending, evaluating, and enhancing their risk culture, each emphasizing distinct elements or signs of risk culture. For instance, Deloitte’s model, outlined in their paper ‘Enabling Risk Intelligent Cultures,’ identifies four key influencers of risk culture: risk competence, motivation, relationships, and organization.

1. LILAC model

The LILAC model serves as a framework for assessing risk culture, drawing from research by the UK’s Health and Safety Executive (HSE). This research emerged in response to significant rail disasters in the UK during the 1980s and 1990s, prompting Her Majesty’s Railway Inspectorate (HMRI) to commission a safety culture inspection toolkit focused on a select set of indicators affecting safety culture. The resulting five indicators of a strong safety culture are:

  • Leadership – fostering a constructive safety culture
  • Two-way communication – robust channels for communication flowing top-down, bottom-up, and across levels
  • Staff involvement – meaningful participation from employees
  • A learning culture – capturing lessons, sharing them, and applying improvements
  • A just culture – shifting from blame to accountability, while prioritizing employee well-being

These elements form the acronym LILAC: Leadership, Involvement, Learning, Accountability, and Communication. Hopkin and Thompson note that integrating risk management into everyday work practices is a long-term goal for most organizations, offering examples of how this risk-aware culture might manifest. Beyond safety, LILAC also applies to broader risk management areas, such as training and the control environment, topics revisited in later Units.

2. ABC model

The ABC model aims to explain the origins of risk culture through three components:

  • Risk Attitude – the stance an individual or group takes toward risk, shaped by how they perceive it
  • Risk Behaviour – the visible, risk-related actions individuals exhibit
  • Risk Culture – the collective values, beliefs, knowledge, and understanding of risk shared by a group united by a common goal

Risk culture impacts both risk attitude and risk behaviour, while risk attitude influences risk behaviour, and risk behaviour, in turn, contributes to shaping risk culture. Hillson delves deeper, addressing two common misunderstandings about the ABC model:

  • “First, risk attitudes are distinct from risk culture. It’s inaccurate to label an organization as having a ‘risk-averse culture’ or ‘risk-seeking culture,’ as terms like risk-averse or risk-seeking refer to attitudes, not culture.”
  • “Second, risk behaviour differs from risk culture. Describing risk culture as ‘how we handle things around here regarding risk’ is misleading, since ‘handling things’ pertains to behaviours, not culture.”

Thus, behaviours are the measurable aspect, evaluable through tools like surveys or interviews. Risk attitude is defined as ‘the organization’s long-term perspective on risk, characterized by the 4Cs: comfort, cautious, concerned, and critical,’ and can be depicted within a risk matrix.

3. Double ‘S’ model

The IRM Risk Culture paper highlights the Double ‘S’ model as a valuable tool for understanding broader organizational culture, framing it through two core dimensions:

  • Sociability – the people-oriented aspect, reflecting the quality of social interactions, plotted on the vertical axis
  • Solidarity – the task-oriented aspect, centered on goals and team performance, plotted on the horizontal axis

The model posits that high sociability fosters unity and a shared sense of purpose in a connected workplace, while strong solidarity ensures effective execution of risk controls and actions. The model identifies four cultural types—fragmented, networked, communal, and mercenary—none of which is inherently superior. Each suits different organizational contexts. For instance, strong sociability can inspire individuals to exceed their role’s expectations, working harder for the ‘community’s’ success. Yet, it can also lead to drawbacks, such as overlooking poor performance due to friendships or prioritizing consensus over tough decisions. Conversely, high solidarity builds relationships around shared goals and enables rapid team mobilization during crises. However, an overemphasis on tasks can backfire if the strategy is flawed, neglecting broader organizational health, or if individuals focus on self-interest, asking, ‘What’s in it for me?’ You might notice parallels between the Double S Model and the Decision-making Style Matrix, which also maps a spectrum from task/technical to people/social focus along one axis. Most personality and culture models hinge on these two dimensions, a point reinforced in the IRM Risk Culture paper. Research suggests that, regardless of the specific risk culture framework, organizations should enhance both sociability and solidarity to improve risk management effectiveness.

5.3 Successful Risk Culture

What defines a strong risk culture? It involves a deep understanding and positive mindset toward risk, fostering sound decisions and behaviors. This is demonstrated as organizations shift from merely responding to incidents to proactively identifying and managing risks effectively. A robust risk culture empowers and incentivizes individuals and teams to take calculated risks wisely. Key elements of a successful risk culture include:

  1. A clear, consistent message from leadership—both the board and senior management—about risk-taking and avoidance, with attention to the tone across all levels.
  2. A dedication to ethical standards, shown through focus on individuals’ ethical profiles, ethical decision-making, and consideration of broader stakeholder perspectives.
  3. Widespread recognition within the organization of the need for ongoing risk management, with defined accountability and ownership for specific risks.
  4. Open, prompt sharing of risk-related information throughout the organization, where bad news travels quickly without fear of reprisal.
  5. Promotion of risk event reporting and whistleblowing, with a proactive approach to learning from errors and near misses.
  6. Clarity around risks, ensuring no process, activity, or complexity obscures their understanding.
  7. Recognition and rewards for appropriate risk-taking, alongside challenges to and consequences for unsuitable behaviors.
  8. Valuing and nurturing risk management expertise, supported by a well-funded risk management team and broad engagement with professional networks.
  9. Support for professional credentials and technical training, paired with diverse viewpoints to continually question the norm.
  10. Integration of culture management with employee engagement and HR strategies, balancing social support with task focus.

These ten components—from a unified leadership tone to aligning culture with people strategies—form the backbone of an effective risk culture. The paper notes that analyzing corporate failures often reveals the absence of many of these traits. To achieve their desired risk culture, boards are encouraged to ask themselves ten reflective questions, largely tied to these components, to evaluate their expectations and aspirations:

  1. What example do we set from the top? Are we consistently and visibly guiding how our people should handle risk?
  2. How do we define clear responsibilities for risk managers and ensure they’re held accountable?
  3. What risks does our current culture pose, and what cultural shift is needed for our goals? Can staff speak freely without fear?
  4. How do we uphold our stated values in resolving risk challenges? Do we regularly address this and let it shape decisions?
  5. Do our structure, processes, and rewards bolster or undermine our ideal risk culture?
  6. How do we proactively gather insights from risk events and near misses—ours and others’—and embed lessons learned? Do we humbly view ourselves through stakeholders’ eyes?
  7. How do we handle whistleblowers and legitimate concerns? When did we last face this?
  8. How do we encourage balanced risk-taking and address extreme tendencies (overly cautious or reckless)?
  9. How do we ensure new hires adopt our cultural values quickly and veterans maintain aligned attitudes and actions?
  10. How do we foster risk awareness and skills development at all levels? What risk training have we, as a board, undertaken?

Measuring risk culture

Various models exist to assist organizations in understanding, evaluating, and enhancing their risk culture, with a simple online search revealing tools and methods from numerous consultants. These typically involve posing a series of questions to individuals at different roles and levels within an organization to assess its risk culture, often through surveys or interviews. To gain a comprehensive view of culture across all levels, an organization-wide survey can be employed. However, for some, this might feel overly demanding, so targeted surveys sampling individuals or using a ‘proxy’ (someone authorized to represent others) from each level and team can suffice. Alternatively, some organizations opt for a more tailored, personal touch by conducting interviews with key personnel. Surveys offer a broad, diverse snapshot of organizational culture, providing a structured, measurable way to tackle a subjective topic. This allows for comparisons between teams or against industry peers, using mostly ‘closed’ questions with preset answer options, though some may include ‘open’ questions for free-text responses to capture answers in respondents’ own words. Interviews, on the other hand, delve deeper into the drivers of risk culture, enabling interviewers to seek clarification, ask follow-ups, and probe further. To ensure reliability, interviews should follow a standardized question set, with interviewers taking care to avoid bias in both the questions and their delivery. They’re particularly valuable for capturing insights from senior leaders, like executives or board members. Some organizations combine surveys and interviews, ensuring questions across both methods align for consistent results. Regardless of the approach, questions should be customized to the organization or segment under review and kept concise to boost participation and quality of responses.

From a financial services standpoint, the UK’s Prudential Regulator stresses the importance of using diverse data sources and assessment methods to gauge risk culture. The paper also recommends that organizations regularly evaluate their risk culture, pinpoint issues, and address them as frequently as practical.

One framework for assessing risk culture organizes eight elements into four key themes:

  • Tone from the Top
    • Risk leadership – providing clear guidance
    • Dealing with bad news – openness to unfavorable updates
  • Governance
    • Accountability – well-defined responsibility
    • Transparency – timely and clear risk information
  • Decisions
    • Informed risk decisions – the quality of decision-making insight
    • Reward – recognition for suitable risk-taking
  • Competency
    • Risk resources – the standing, support, and authority of the risk function
    • Risk skills – integration of risk management expertise

This Risk Culture Aspects model connects to the Double ‘S’ model, where ‘Dealing with bad news,’ ‘Reward,’ and ‘Risk Skills’ primarily influence sociability, while the remaining five elements contribute more to strengthening solidarity.

Changing risk culture

Evaluating an organization’s risk culture should pinpoint issues and their underlying causes, paving the way for cultural improvements. However, such changes hinge on first assessing the existing culture and defining the target culture. Transforming risk culture is often a gradual, extended effort. The Association for Federal Enterprise Risk Management (AFERM) indicates that establishing a compliant risk management framework may take 1-2 years, while developing a fully mature risk management process could span 5-10 years. By comparing the current risk culture to the desired state, organizations can identify quick wins and impactful, visible shifts. Per the ABC model, risk attitude drives risk behavior, which shapes risk culture, subsequently reinforcing both behavior and attitude. Positive adjustments can spark a ‘virtuous’ cycle, while unchecked negative attitudes and behaviors perpetuate a ‘vicious’ cycle.

Steps to transform risk culture include:

  • Assessing the existing risk culture (Where are we now?).
  • Evaluating its effects (Where do we aim to be?).
  • Pinpointing areas for enhancement (What must change?).
  • Designing and executing the cultural shift.
  • Tracking progress and adjusting as needed.

5.4 Risk appetite and tolerance

In exploring risk evaluation, we address a critical ‘so what?’ question in the risk management process. Having established our operational context and objectives, and identified and ranked the risks we face to prioritize the most significant ones, we must decide: do these risks require action, or are they tolerable as they stand? To answer this, we first need to define what ‘acceptable’ means for us. For an organization to maintain a uniform risk management approach enterprise-wide, those handling risks must know the severity threshold that triggers a response. Without clarity on when to act or accept a risk, inconsistencies arise, inflating the organization’s overall risk exposure as staff react to risks of similar magnitude based on personal risk attitudes rather than a cohesive organizational stance. While we typically assess acceptability from a threat perspective, we must also evaluate acceptable opportunities, recognizing that organizations won’t manage risks—whether threats or opportunities—at unlimited cost.

This acceptability hinges on a threshold, known as risk appetite, which is the level of risk an organization is willing to take to meet its goals. This threshold rests on four core principles:

  1. Interconnectedness – what’s tolerable in one area may not be in another.
  2. Measurability – the ability to quantify risk appetite for a consistent understanding of acceptability.
  3. Variability – the necessity for different appetites across various risks.
  4. Maturity – how the sophistication of an organization’s enterprise risk management (ERM), in both comprehension and execution, shapes its risk-taking willingness.

Key terms tied to risk appetite include Risk Capacity, Risk Tolerance, and Risk Appetite, alongside the concept of the Risk Universe. These terms are often intertwined and used synonymously, though they carry distinct nuances. The push to define this acceptability or risk appetite stems not just from the internal need to resolve the ‘so what?’ question, but also from external pressures, notably the UK Financial Reporting Council’s 2014 ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting.’ The guidance highlights risk appetite in several areas:

  • Section 2 – states that boards are tasked with ‘determining the nature and extent of principal risks and those the organization is prepared to accept to achieve strategic objectives (its “risk appetite”)’.
  • Section 5 – suggests that annual reviews of risk management and internal control effectiveness should consider ‘the company’s risk appetite, desired culture, and whether that culture is embedded.’
  • Appendix C – poses questions for boards, starting with risk appetite and culture, such as ‘How has the board set the company’s risk appetite?’ and ‘Who has it consulted?’

Though aimed at premium listed UK companies, risk appetite gained broader relevance post-2008 financial crisis, which exposed excessive risk-taking cultures in global financial services. UK charities are prompted to assess their risk appetite, the UK Government released a 2021 Risk Appetite Guidance Note, and the COSO 2017 ERM Framework lists ‘Define risk appetite’ as Principle 7, among others. Risk appetite represents the positive, opportunity aspects of risk that organisations seek, such as the development of new products that will bring high returns but carry the potential to fail and result in losses. Risk appetite refers to the core mission or strategy of the organisation. Tolerance refers to the boundaries of risk taking outside of which the organisation is not prepared to venture in the pursuit of its long-term objectives. It provides limits to the amount of risk an organisation is willing to accept before taking some further risk treatment action to address the underlying drivers of risk. It also provides limits to the amount of opportunity an organisation is willing to pursue.

1. Risk capacity

Within our risk universe, certain risks are manageable. Risk capacity refers to ‘the threshold beyond which risk becomes unacceptable’—the point an organization cannot or chooses not to exceed. It is the amount of risk an organization should or can afford to bear. Historically linked to the insurance sector, risk capacity has been tied to decisions about deductible sizes or maximum insurance coverage relative to financial resources. Beyond finances, an organization’s risk capacity also hinges on factors like the resilience of its infrastructure, the strength of its reputation and brands, the competitiveness of its market, the skills of its workforce, and the reliability of its controls, among others. While we’ve framed risk capacity as the boundary we won’t cross, it also serves as both a springboard for calculated risk-taking and a buffer against losses. For instance, an organization may lack the capacity to absorb all risks in its universe—a health insurer, limited by financial constraints, might cap coverage levels to avoid exposure to costly conditions. To craft a solid risk management framework, leadership must clearly articulate and document which risks they’re prepared to accept and which they’ll reject. They must also stay attuned to the organization’s risk-bearing capacity—its financial stamina. Even if investors and directors push for a bold strategy, a risk event (like a failed product launch) exceeding available reserves could lead to insolvency if capacity isn’t adequately gauged.

2) Risk Tolerance

Risk tolerance is frequently conflated with risk appetite, yet they are distinctly different. Risk tolerance is defined as ‘the limits of risk-taking beyond which an organization will not venture in pursuit of its long-term goals.’ This definition elaborates that risk tolerance encompasses risks an organization might reluctantly endure if circumstances force its hand. It’s often framed in absolute terms, such as ‘we will not engage with specific customer types.’ These descriptions present a subtle tension: one views tolerance as risks that can be borne or allowed within a certain range, while the other aligns it more with a breaking point akin to risk capacity. In reality, risk tolerance occupies the ‘range’ between risk appetite and risk capacity. It represents a zone where risks can be temporarily withstood while proactive risk management works to reduce them to an acceptable level—sometimes called the ‘wiggle room’ beyond the preferred risk threshold. The UK Government’s risk guidance clarifies that risk tolerance, or a tolerable risk stance, differs from deliberately choosing to tolerate a risk as a management response.

3) Risk appetite

Risk appetite is characterized as ‘the extent of risk an organization is prepared to pursue or accept to achieve its long-term goals.’ This definition encompasses two aspects: risks the organization actively seeks and those it is willing to tolerate. Organizations aim to meet objectives—typically positive ambitions like boosting profits, expanding market share, or enhancing services. Boards generally embrace appropriate risks to realize these goals and thus have an appetite for them. Risk appetite covers risks an organization deliberately engages with, reflecting its strategic choices and methods. Conversely, it also includes risks it must accept as inherent to its operations, such as regulatory shifts beyond its control. In the diagram this material refers to (not reproduced here), risk appetite is not drawn centered within risk tolerance, showing that tolerance varies by risk type. For instance, at point A there is minimal tolerance for risks like health and safety or corruption, while between points B and C there is greater leeway for risks like project delays. Risks nearing capacity demand more effort to manage down to an acceptable level, while those closer to appetite require less. Such risks are only tolerated temporarily, with active management to bring them back within appetite. Diagrams often portray risk appetite, tolerance, and the risk universe as zones or ranges, rooted in the risk impact scales established early in the risk management process and tied to appetite and tolerance. If appetite and tolerance are defined later in an organization’s risk maturity, the appetite statements should shape the impact scales, with adjustments made so the two stay aligned.

Though often shown in red, amber, and green, these diagrams don’t mirror a risk matrix’s positioning. During evaluation, risks in or near the matrix’s top-right (red) zone might still fall within appetite—either because they’re actively managed despite high likelihood and impact, or because they’re uncontrollable, like regulatory changes. In both cases, they’re acceptable for business operations and should be acknowledged as such. These visuals offer a top-down perspective on the risk universe, capacity, tolerance, and appetite, akin to a cross-sectional view linking them to performance over time. Within risk appetite lie two concepts: an optimal risk position, ‘the risk level an organization targets’ (aligned with appetite), and a tolerable risk position, ‘the risk level it can bear under current constraints’ (aligned with tolerance). These parallel the broader notions of appetite and tolerance. Regardless of terminology, clarity in defining these concepts within an organization is crucial. Risk appetite provides a decision-making framework, delineating both ideal and acceptable risk levels to support strategic goals. The guidance highlights benefits like reduced uncertainty, enhanced consistency in governance and decisions, sharper focus on priorities, and better resource allocation.

5.5 Risk appetite statements

Establishing risk appetite is a cornerstone of effective corporate governance. The board holds the responsibility for defining the nature and scope of major risks it is prepared to embrace to fulfill the organization’s strategic aims. Thus, during strategic planning, directors and senior leaders must deliberately assess their risk appetite and tolerance—or the flexibility they have—in executing the strategy and meeting objectives. Some strategic elements may feel familiar and comfortable, or involve mandatory compliance (e.g., legal requirements), where the organization prefers to stick close to its established practices. Other elements may demand bolder moves and greater risk-taking. Risk appetite statements capture this distinction, outlining where the organization opts for more or less risk.

Consider a farm machinery manufacturer aiming to branch into electronically controlled indoor dairy equipment (‘robots’) to boost dairy yields, shifting from traditional outdoor milking. This aligns with a growing farming trend and offers expansion potential. However, moving from mechanical to high-tech electronic products introduces risks, potentially stretching beyond the company’s expertise and risking costly setbacks. If the company pursues this, it must evaluate the technical hurdles, investment needs, projected sales, competitive landscape, and profit margins. This analysis determines the total capital at stake if the venture fails, which is then weighed against the organization’s pre-set risk appetite and its risk-bearing capacity.

Risk appetite statements document these choices regarding appetite, tolerance, and capacity across the organization and its various levels. The steps to craft them are:

  1. Identify stakeholders and their expectations.
  2. Assess the organization’s overall risk exposure.
  3. Set the preferred level of risk exposure.
  4. Determine acceptable variation ranges for each risk type.
  5. Align current and target risk appetite and tolerances.
  6. Finalize, approve, and share the risk appetite statement.

These statements should tie into the organization’s risk classification system but can also be organized by risk sources (causes), impacts (effects), objectives at risk (linked to effects), or the risks themselves. The structure may reflect the organizational level—strategic, tactical, or operational—where the statements are developed.

Six guiding principles shape an effective risk appetite framework:

  1. Complexity – Simplifying too much can distort meaning.
  2. Measurability – Without it, statements lose practical value.
  3. Fluidity – Appetite varies across risks and evolves over time.
  4. Maturity alignment – It must match the organization’s risk management sophistication and be clearly supported.
  5. Multi-level perspective – It should span strategic, tactical, and operational viewpoints.
  6. Control integration – It must balance risk-taking and control, ensuring effective risk management and internal controls.

With these principles in mind, an approach to dissecting risk appetite elements can center on risk capability—a blend of risk capacity (the ability to absorb risks) and risk management maturity (the ability to handle them):

  • Capacity – Encompassing financial resources, infrastructure, reputation, and workforce expertise.
  • Maturity – Covering business context, risk systems, risk culture, and risk processes.

The following list sets out the requirements for risk appetite statements. They should:

  • provide a structure for an organization to work within. When correctly applied, statements describe acceptable outcomes relating to the decisions being taken.
  • drive thinking about the results and outcomes the organization seeks to realize, as well as about what would need to change if outcomes were not acceptable.
  • describe the organization’s typical challenges and the basis on which different outcomes are justified.
  • describe the organization’s acceptable behavior in reasonable circumstances. Where a decision is to be made and there are no directly comparable situations, risk appetite statements can provide illustrative guidance that can be adapted, documented, and applied.
  • be set against a sliding scale, with descriptors that are relevant to the organization. This scale should demonstrate and reinforce the range of outcomes that are acceptable in different situations, and should be separate from the scales used to assess the likelihood and impact of a risk.
  • be dynamic and updated as necessary to reflect any significant changes in the context the organization operates within, whether driven by societal, economic, or political changes, for example.

These requirements are a useful checklist when designing risk appetite statements.

Developing a clear risk appetite and tolerance profile for an organization demands significant time from senior leaders to deliberate on the various risks it encounters, ensuring they provide clear guidance on which risks are acceptable. This overarching risk strategy might be summarized in a broad mission statement, such as one for a fictional budget airline: ‘We aim to be the top regional low-cost airline, targeting private and tourist travelers with modern, nearly new aircraft.’

This translates into a high-level risk appetite strategy, signaling that the airline avoids the risks of entering the long-haul market, sacrificing potential revenue from business travelers, while embracing the risk of investing in high-quality aircraft to enhance its brand and reputation. Such a statement serves as a qualitative, narrative expression of the organization’s risk appetite. Organizations might also craft more detailed narrative risk appetite statements. For instance, a charity might first assess risk appetite across different risk categories, then derive an organization-wide appetite by averaging these. This charity adopted a generally cautious stance on acceptable risk levels, though it allowed higher risk in certain categories. It stopped short of evaluating individual risks, however. Caution is warranted when averaging risk scores, especially if based on subjective opinions rather than hard data, as this can mask significant risks if the ‘average’ falls within an acceptable range, potentially overlooking critical outliers.

A simple risk appetite estimate

Tangible risk appetite statements

From the mission statement of the fictional budget airline—‘Our goal is to be the leading regional low-cost carrier, targeting private and tourist travelers with modern, nearly new aircraft’—a risk appetite statement is crafted, typically tied to relevant risk categories or specific risks.

This broad appetite statement must be distilled into practical segments. For instance, the airline’s risk appetite and tolerance might state:

  • We won’t accept operating routes with seat fill-rates below 50%, though we’ll allow a 5% deviation from this target.
  • We won’t tolerate fuel costs exceeding our business plan, but we’ll accept up to a 2% increase.
  • We have no interest in paying travel agent fees, yet we’ll permit direct booking service costs up to 3% of revenue.

On the opportunity side, it might add:

  • We aim to grow our route network to boost fare income by 20% over three years, accepting up to $5 million in additional expenses to make it happen.

Risk appetite statements can be detailed and tied to risks listed in the organization’s risk register. Some use key risk indicators as stand-ins for these statements, marking thresholds where approval is needed before proceeding further. For external stakeholders, high-level narrative statements are typically shared, balancing transparency about the organization’s risk direction with discretion over sensitive details. These often appear in annual reports.

To guide internal staff on acceptable risk levels and enable risk-informed decisions, risk appetite statements should span the organization and be concrete, measurable reflections of appetite and tolerance. These are commonly compiled into a Risk Appetite Statement document, part of a broader set of risk management materials alongside the Risk Management Policy and Manual. At a detailed level, these statements reflect delegated authority, setting risk-taking boundaries for individuals. Once specific statements are set, it’s wise to review them with staff and HR to ensure alignment with authority levels.

5.6 Risk appetite criteria

A critical element of risk appetite and tolerance lies in the criteria used to formulate risk appetite statements and how they’re established. Earlier in this unit, we discussed using:

  • Ranges to define risk appetite and tolerance
  • Risk impact rating scales to prioritize risks
  • A sliding scale for appetite and tolerance
  • Key risk indicators as early warnings of shifts in specific risks

Various metrics can shape risk appetite statements and criteria, but whether they target objectives, risk categories, or specific risks, the focus remains on determining what’s acceptable, unacceptable, and the range between these points. Risk appetite limits help convert strategic goals into actionable risk-taking boundaries and controls across an organization. It’s not just about capping risk beyond capacity but understanding appetite as a spectrum of desired outcomes—balancing excessive risk-taking against insufficient ambition. Some organizations adopt a ‘three-leg’ limit system (upper limit, trigger, lower limit or risk target), while leading practices favor a ‘four-leg’ system (upper and lower limits with corresponding triggers). Notably, these limits also act as triggers, prompting escalation and corrective steps. The UK Government’s 2021 risk appetite guidance proposes a ‘five-leg’ system, offering descriptive terms for these levels, which are then fleshed out in narrative statements:

  • Opposed/averse (upper limit) – risk avoidance
  • Minimalist – favoring safe, low-inherent-risk options
  • Cautious – preferring safe options with minimal residual risk
  • Mindful/open – open to all options, favoring likely success
  • Enterprise/eager (lower limit) – keen to innovate and seize opportunities, accepting uncertainty

Triggers, defined as ‘the point where escalation to a higher authority is needed due to proximity to the appetite limit,’ align with both upper and lower limits. In health and safety, such triggers are common, embedded in operational processes with pre-set acceptable risk levels and escalation protocols. In mining, these are called Triggered Action Response Plans (TARPs), akin to triggers in Deloitte’s risk appetite framework, typically using a ‘three-leg’ system:

  • Green – manageable by the workplace team (lower limit)
  • Yellow – work halts, a support team steps in to resolve and approve resumption
  • Red – work stops, senior managers intervene to address and authorize continuation
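The airline statements in Section 5.5 (fill-rate floor of 50% with 5% deviation, fuel cost no more than 2% over plan, direct booking costs up to 3% of revenue) and the ‘four-leg’ limit system above can be made operational as key risk indicators with limits and triggers. The following is an added worked example, not code from the chapter or from any of the frameworks it cites: it classifies each KRI reading into within-appetite, trigger, or breach, names which side is the excessive-risk side versus the under-used-appetite side, routes escalation accordingly, and then shows the averaging pitfall from the charity example, where the portfolio average sits inside tolerance while one KRI has already breached its hard limit. The airline thresholds come from the text; the legs marked ASSUMPTION (upper fill-rate legs, lower fuel legs, the 2% booking-cost trigger), the escalation owners, and the sample readings are constructed for illustration.

```python
"""Four-leg risk appetite limits with escalation triggers.

Added worked example, not from the original chapter. KRIs for the fictional
budget airline are built from the appetite statements in the text; every
threshold marked ASSUMPTION is not in the text and is illustrative only.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Kri:
    """A key risk indicator with a four-leg limit set in its own units:
    lower_limit <= lower_trigger <= upper_trigger <= upper_limit."""
    name: str
    unit: str
    lower_limit: float      # hard floor: a reading below it is a breach
    lower_trigger: float    # reading below this escalates to senior management
    upper_trigger: float    # reading above this escalates to senior management
    upper_limit: float      # hard ceiling: a reading above it is a breach
    more_risk_is: str       # "higher" or "lower": the excessive-risk direction

    def __post_init__(self) -> None:
        if self.more_risk_is not in ("higher", "lower"):
            raise ValueError(f"{self.name}: more_risk_is must be 'higher' or 'lower'")
        if not (self.lower_limit <= self.lower_trigger
                <= self.upper_trigger <= self.upper_limit):
            raise ValueError(f"{self.name}: legs must be ordered low to high")
        # The tolerance band on the excessive-risk side must be non-empty,
        # otherwise utilisation() would divide by zero.
        if self.more_risk_is == "higher" and self.upper_limit <= self.upper_trigger:
            raise ValueError(f"{self.name}: upper tolerance band is empty")
        if self.more_risk_is == "lower" and self.lower_trigger <= self.lower_limit:
            raise ValueError(f"{self.name}: lower tolerance band is empty")


# Escalation owners per level (ASSUMPTION: a generic three-tier authority ladder).
ACTIONS = {
    "within": "manage locally; no escalation",
    "trigger": "escalate to senior management; agree a corrective plan",
    "breach": "stop/hold the activity; escalate to the authority that owns the limit",
}


def classify(kri: Kri, value: float) -> dict:
    """Place one reading against its four legs and return level, side, meaning, action."""
    if value > kri.upper_limit:
        level, side = "breach", "higher"
    elif value > kri.upper_trigger:
        level, side = "trigger", "higher"
    elif value < kri.lower_limit:
        level, side = "breach", "lower"
    elif value < kri.lower_trigger:
        level, side = "trigger", "lower"
    else:
        level, side = "within", None
    if side is None:
        meaning = "within appetite"
    elif side == kri.more_risk_is:
        meaning = "excessive risk"
    else:
        meaning = "under-used appetite (insufficient ambition)"
    return {"kri": kri.name, "value": value, "unit": kri.unit, "level": level,
            "side": side, "meaning": meaning, "action": ACTIONS[level]}


def utilisation(kri: Kri, value: float) -> float:
    """Share of the tolerance band consumed on the excessive-risk side:
    0.0 at the appetite boundary (trigger), 1.0 at the hard limit,
    above 1.0 is a breach, negative means comfortably inside appetite."""
    if kri.more_risk_is == "higher":
        return (value - kri.upper_trigger) / (kri.upper_limit - kri.upper_trigger)
    return (kri.lower_trigger - value) / (kri.lower_trigger - kri.lower_limit)


def portfolio_view(readings) -> dict:
    """Average utilisation across KRIs next to the individual breaches, to show
    why an 'average within appetite' can hide a single breached limit."""
    results = [classify(k, v) for k, v in readings]
    utils = [utilisation(k, v) for k, v in readings]
    return {
        "average_utilisation": round(mean(utils), 2),
        "average_looks_acceptable": mean(utils) <= 1.0,
        "breaches": [r["kri"] for r in results if r["level"] == "breach"],
        "escalations": [r["kri"] for r in results if r["level"] != "within"],
    }


# Airline KRIs from the chapter's statements; upper fill-rate legs, lower fuel
# legs and the 2% booking-cost trigger are ASSUMPTIONS.
FILL_RATE = Kri("seat fill-rate", "% of seats", lower_limit=45.0, lower_trigger=50.0,
                upper_trigger=95.0, upper_limit=100.0, more_risk_is="lower")
FUEL_COST = Kri("fuel cost vs business plan", "% over plan", lower_limit=-10.0,
                lower_trigger=-5.0, upper_trigger=0.0, upper_limit=2.0, more_risk_is="higher")
BOOKING_COST = Kri("direct booking service cost", "% of revenue", lower_limit=0.0,
                   lower_trigger=0.0, upper_trigger=2.0, upper_limit=3.0, more_risk_is="higher")

# Constructed sample readings for one reporting period (not real data).
CONSTRUCTED_READINGS = [(FILL_RATE, 47.0), (FUEL_COST, 2.5), (BOOKING_COST, 1.5)]

if __name__ == "__main__":
    for kri, value in CONSTRUCTED_READINGS:
        r = classify(kri, value)
        print(f"{r['kri']}: {value}{r['unit']} -> {r['level']} ({r['meaning']}); {r['action']}")
    print(portfolio_view(CONSTRUCTED_READINGS))
```

With the constructed readings the fill rate sits in the trigger zone, fuel cost has breached its hard limit, and booking cost is within appetite; the average utilisation is 0.45, which on its own would read as acceptable, so the portfolio view always reports the individual breaches alongside the average rather than letting the average stand in for them.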

In health and safety, organizations often claim ‘zero’ risk appetite or tolerance. If taken literally, this would halt operations, as eliminating all risks with safety implications is impossible. While ‘zero’ makes a bold external statement, operational triggers with a narrow range between limits are essential, reflecting limited tolerance for such risks. A more practical approach uses triggers based on reducing risks to ‘as low as reasonably practicable’ (ALARP). Caution is needed, however, when triggers focus solely on the ‘red’ zone of a risk matrix (high impact, high probability), as this overlooks uncontrollable yet acceptable risks (e.g., regulatory changes) that are part of doing business and monitored regularly. This ‘red’ zone focus also neglects high-impact, low-probability risks (HILPs), like the Covid-19 pandemic, which wasn’t a true ‘black swan’ but was dismissed as too improbable by many, becoming an ignored ‘elephant.’ Some organizations adjust risk matrices to prioritize impact over probability, elevating HILPs’ visibility. Unit 3, Section 4’s Impact versus Action map also flagged high-impact risks lacking sufficient control. Whatever method is chosen, risk appetite criteria must address key individual risks. Ignoring HILPs in appetite discussions risks unwanted headlines. Crafting risk appetite statements is often the toughest part of ERM, but without clear, measurable tolerances, the risk management cycle and framework stall.

Monitoring risk appetite and tolerance

Crafting an organization’s risk appetite and tolerance is a time-intensive process, requiring substantial effort to establish meaningful limits and triggers that enhance decision-making and the proactive management of both opportunities and threats. Yet, these statements are merely a moment-in-time reflection and must be periodically revisited and refined, particularly when the organization undergoes significant shifts. Incorporating testing and monitoring into the risk appetite framework is therefore valuable. Five key tests can assess its effectiveness:

  • Does the framework offer actionable guidance to aid managers in decision-making?
  • Are executives aware of the cumulative and interconnected risks to judge what’s acceptable?
  • Do the board and executives grasp the aggregated and linked nature of risks?
  • Do managers and executives recognize that risk appetite evolves over time?
  • Are risk decisions weighed with a clear view of potential rewards?

Meeting all these criteria indicates a robust risk appetite framework.

The core idea is that such frameworks are effective only insofar as they ensure that:

  • Risk-takers understand the objectives they’re advancing and stay within set boundaries.
  • All major risks are identified and comprehended.
  • A risk-aware mindset infuses the organization’s language, decisions, and performance evaluation, embedding it in the risk culture.

The framework outlines varying risk appetite levels across the organization:

  • High-level – Broad risk capacity, overarching risk appetite statements, measures, and limits.
  • Directional – Focus on key risk drivers with related appetite statements, measures, and limits.
  • Specific – Principles and policies to put risk appetite into practice.
  • Detailed – Precise risk appetite measures and limits.
